On Sun, Jul 19, 2009 at 4:18 PM, Arjan van de Ven <arjan@infradead.org> wrote:
> On Sun, 19 Jul 2009 15:43:06 -0400
> Siarhei Liakh <sliakh.lkml@gmail.com> wrote:
>
>> This patch expands functionality of CONFIG_DEBUG_RODATA to set main
>> (static) kernel data area as NX.
>> The following steps are taken to achieve this:
>> 1. Linker scripts are adjusted so .text always starts and ends on a
>> page boundary
>> 2. Linker scripts are adjusted so .rodata and .data always start and
>> end on a page boundary
>> 3. void mark_nxdata_nx(void) added to arch/x86/mm/init_64.c and
>> arch/x86/mm/init_32.c with actual functionality: NX is set for all
>> pages from _etext through _edata
>> 4. mark_nxdata_nx() called from init_post(void) in init/main.c
>>
>> The patch has been developed for Linux 2.6.30 x86 by Siarhei Liakh
>> <sliakh.lkml@gmail.com> and Xuxian Jiang <jiang@cs.ncsu.edu>.
>
> I like the idea, and am happy to see the lack of ifdefs ;)

I was thinking about ifdefs, but could not find a place to put them in ;)

> I wonder if we should have a testcase for this though similar to
> how stackprotector and rodata get tested already....

We probably should. In addition, after looking at the code for a while, it seems to me that the proper place to enable protection would be kernel_physical_mapping_init(). This way the kernel could enjoy protection from the very beginning of init, instead of turning it on at the end.
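The kind of testcase discussed above, as an added user-space analogue (not kernel code from this thread or from the patch): map one read/write page with no execute permission, try to execute from it, and confirm the CPU refuses with a fault that the test catches and recovers from. Function and variable names are assumptions; the kernel-side test would do the same against a page between _etext and _edata.

```c
/* Added example: user-space self-test that a non-executable data page
 * cannot be executed. Assumes a POSIX system with NX-capable hardware. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf nx_jmp;

/* Fault handler: unwind back into the test and record that a fault occurred. */
static void nx_fault_handler(int sig)
{
    (void)sig;
    siglongjmp(nx_jmp, 1);
}

/* Try to execute from a page mapped without PROT_EXEC.
 * Returns 1 if the attempt faulted (NX enforced), 0 if the page actually
 * ran (NX not enforced), -1 if the mapping could not be set up. */
int nx_data_page_faults(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;
    /* 0xC3 is x86 'ret': if the page were executable the call would simply
     * return; with NX the very first instruction fetch must fault instead. */
    memset(buf, 0xC3, page);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = nx_fault_handler;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int faulted = 1;
    if (sigsetjmp(nx_jmp, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &buf, sizeof fn); /* data -> function pointer without a cast warning */
        fn();                         /* instruction fetch from the NX page */
        faulted = 0;                  /* only reached if execution was allowed */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, page);
    return faulted;
}
```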